DDOS ATTACKS & ATTACK TOOLS
1.1 General Description
Over the last few years, in their increasing effort to wreak havoc, the worldwide community of hackers (also known as "crackers") has started developing attack platforms for launching global, Internet-scale coordinated DDoS attacks.
Most of these tools are designed around a client-server (master and slave) architecture. The attack network consists of large numbers of attack daemons: small software agents capable of receiving commands and generating different kinds of packets (usually simulating some sort of attack). These daemons are centrally controlled by one or a few master applications, servers capable of generating the required attack commands and thus controlling the attack and its targets.
The attacker can use the server application to order the attack.
1.2 Command Distribution Methods
1.2.1 Peer to Peer Distribution
In this architecture the master is aware of all available daemons, either through lists of infected intermediate hosts constructed and administered by the hackers who installed them, or through "keep alive" messages sent by the daemons upon installation to a predefined location.
When distributing an attack command, the master contacts each of the required daemons directly by sending it command packets.
1.2.2 Broadcast or Multicast Distribution
In this architecture the master uses some sort of broadcast mechanism to connect and distribute attack commands.
Because edge and core routers filter broadcast packets, the most popular method for broadcasting commands is to use an application-level protocol that provides multicast-like features, such as the IRC protocol (used mainly for chat applications).
In this case, when the intermediate host connects to the Internet and comes online, the daemon connects to a predefined IRC channel. The attacker can then connect to the same IRC channel using any chat client and simply type the necessary commands; the IRC protocol takes the commands and relays them to all the connected daemons.
1.3 Frequently Used Attack Tools
1.3.1 Trinoo
This distributed attack tool is installed on intermediate hosts using buffer overrun bugs in popular programs such as "statd" and "cmsd". The daemon's code was compiled on the Linux and Solaris operating systems. Both daemons and masters are installed with root account privileges.
The basic trinoo daemon is capable of generating a UDP packet flood. The following packet parameters are controllable: destination address, packet size and attack duration.
The attack is directed at random UDP ports on the victim's host. The contents of the packets are taken from the intermediary host's memory at random, so packets sent from a given daemon carry the same payload while different daemons generate different payloads. The daemon is capable of attacking multiple targets at once.
1.3.2 TFN (Tribe Flood Network)
TFN installation procedure is similar to that of Trinoo and is based on buffer overrun bug.
TFN uses the same master-daemon architecture and is capable of launching ICMP floods, UDP floods, SYN floods and Smurf attacks, and also includes a raw TCP packet generator. The daemon's source code was compiled on the Linux and Solaris operating systems. Both daemons and masters are installed with root account privileges.
TFN commands are carried over ICMP packets of a fixed length (17 bytes).
1.3.3 Stacheldraht ("barbed wire")
Stacheldraht is a DDoS tool that started to appear in the late summer of 1999 and combines features of trinoo and TFN. The attacks generated by this tool's daemons are similar to those of TFN, namely ICMP flood, SYN flood, UDP flood and Smurf attacks. It does not provide the on-demand root shell on a TCP port that TFN provides.
Stacheldraht also provides some advanced features, such as encrypted attacker-to-master communication (which makes detecting and taking over the daemon-master communication harder) and automated daemon updates, which allow the attack network to be changed without re-deploying daemons or masters.
The Stacheldraht daemon is capable of producing ICMP, UDP and TCP SYN packets of sizes up to 1024 bytes against multiple victim hosts. TCP SYN packets are sent to random ports taken from a selected range of port numbers.
1.3.4 Trinity
Trinity is capable of launching several types of flooding attacks on a victim host, including UDP, fragmentation, SYN, RST, ACK and other floods. Communication from the master to the daemon is carried over Internet Relay Chat (IRC) or AOL's ICQ.
An IRC-controlled attack daemon (Trinity included) goes online by connecting to a predefined IRC server and joining a predefined IRC chat room, where it awaits incoming commands. IRC chat relays are used in this manner to broadcast and distribute attack commands.
The following attack parameters are controllable: packet size (possibly random) and ports (possibly random).
1.3.5 TFN2K
TFN2K is a complex variant of the original TFN with features designed specifically to make TFN2K traffic difficult to recognize and filter, to execute commands remotely, to hide the true source of the attack using IP address spoofing, and to transport TFN2K traffic over multiple transport protocols, including UDP, TCP and ICMP.
TFN2K attacks include flooding (as in TFN) and attacks designed to crash or destabilize systems by sending malformed or invalid packets, such as those used in the Teardrop and Land attacks.
Commands sent between masters and daemons are carried over UDP, ICMP or TCP (or all three, chosen at random).
TFN2K-generated traffic includes the following signatures: the TCP and UDP header checksums contain errors, and the TCP header length is zero.
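The two signatures above can be checked directly on captured packets. The following Python is an added example (not code from this page or from any of the tools it describes); it builds its own sample IPv4/TCP packets using RFC 5737 documentation addresses and flags a zero TCP header length and a bad TCP checksum, with the matching UDP checksum check for completeness.

```python
import struct

def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); an odd-length buffer is padded with one zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def l4_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum: the segment prefixed by the IPv4 pseudo-header."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return rfc1071_checksum(pseudo + segment)

def tfn2k_indicators(packet: bytes) -> list:
    """Return the TFN2K signatures named in the text that a raw IPv4 packet exhibits."""
    findings = []
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    seg = packet[ihl:]
    if proto == 6:
        if (seg[12] >> 4) == 0:
            findings.append("tcp header length is zero")
        stored = struct.unpack("!H", seg[16:18])[0]
        zeroed = seg[:16] + b"\x00\x00" + seg[18:]   # checksum field cleared for recomputation
        if l4_checksum(src, dst, 6, zeroed) != stored:
            findings.append("tcp checksum mismatch")
    elif proto == 17:
        stored = struct.unpack("!H", seg[6:8])[0]
        zeroed = seg[:6] + b"\x00\x00" + seg[8:]
        # zero means "no checksum" for UDP over IPv4, so only a non-zero value is verified
        if stored != 0 and l4_checksum(src, dst, 17, zeroed) != stored:
            findings.append("udp checksum mismatch")
    return findings

def build_ipv4_tcp(src: bytes, dst: bytes, data_off_words: int, valid_checksum: bool) -> bytes:
    """Constructed sample input: a 20-byte IPv4 header plus a bare 20-byte TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off_words << 4, 0x02, 1024, 0, 0)
    good = l4_checksum(src, dst, 6, tcp)
    csum = good if valid_checksum else (good ^ 0x5555)   # always differs from the good value
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return ip + tcp

# Constructed RFC 5737 documentation addresses, not real hosts.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])

if __name__ == "__main__":
    print(tfn2k_indicators(build_ipv4_tcp(SRC, DST, 5, True)))    # []
    print(tfn2k_indicators(build_ipv4_tcp(SRC, DST, 0, False)))   # both TCP signatures
```

On real captures the same function can be fed the IPv4 payload of each frame; note that hosts using checksum offload will show bad checksums on their own outbound packets in local captures, so the check is meaningful only on traffic observed in transit.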
1.3.6 Shaft
A Shaft network is conceptually similar to a trinoo network. It provides the ability to generate TCP, UDP and ICMP floods (or all three combined).
The attacker may control the following parameters: packet size, attack type, duration of the attack and the list of targeted victims.
Shaft daemons also report statistics on the attack (mainly packet generation rates), which enables the master to refine the list of targets.
1.3.7 mstream
mstream attacks the target with spoofed TCP packets that have the ACK flag set. Communication between masters and daemons is not encrypted and is carried over UDP packets, while the masters themselves are controlled over TCP.
mstream is in an early stage of development, which means it can be used to generate only a limited number of attack types.
The following attack parameters are controllable: the victims' IP addresses and the duration of the attack.